Bug Bytes #148 – Google SSRF filmed, An N/A bug to $15k & Tuning race conditions
By Anna Hammond
November 24, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 15 to 22.
Intigriti news
Why join Intigriti? Here’s 16 reasons why you’ll love working here
Increase in the Intigriti program’s bounty table
Our favorite 5 hacking items
1. Video of the week
Reacting to myself finding an SSRF vulnerability in Google Cloud & Blog post (Google, $10,401.1)
@xdavidhu discovered an SSRF on Google Cloud and filmed the entire process from the bug’s discovery, to exploiting it for RCE, creating the PoC, reporting it, then bypassing the fix.
If you’ve ever dreamed of peeking over the shoulder of a bug hunter while they are finding a critical bug (not just doing recon or practicing in a lab), this is a truly rare opportunity.
2. Writeups of the week
Finding Zero-Day Vulnerabilities in the Supply Chain
How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud (Atlassian, $15,000)
The first writeup is about CSTI, bypassing signed requests (with a JavaScript breakpoint), and exploiting an SSRF with the SMB scheme to steal NTLM hashes. The techniques are not new but @0xLupin does an amazing job of explaining these critical pentest findings, and showing how to escalate the bugs’ impact as much as possible.
The second writeup by @Krevetk0Valeriy is about issues in the Atlassian Cloud’s registration flow. This is an interesting read if you like authentication bugs, or an example of digging deep into strange behaviors so that an N/A turns into a $15k finding.
3. Resource of the week
FirstBloodv2 disclosed reports
BugBountyHunter disclosed writeups submitted by members during their last Hackevent, FirstBlood v2. If you can’t get enough of bug bounty writeups, this is a nice collection to explore whether you are interested in server-side, client-side or logic vulnerabilities.
4. Tools of the week
ChronoRace is a Python tool for fine-tuning race condition attacks. @itscachemoney used it to execute carefully timed race condition attacks that circumvent application business logic, such as this email confirmation bypass on Shopify.
If HTTP request smuggling is more your thing, you might be interested in h2rs. This Python tool by @ricardo_iramar can detect request smuggling via HTTP/2 downgrades.
5. Conference of the week
Swiss Cyber Storm 2021 & Slides, especially:
Impact of Frameworks on Security of JavaScript applications By Ksenia Peguero
Bug Bounty Switzerland: Tales and Vulnerabilities from our Bug Bounty Adventures
Patterns and anti-patterns in software development By Philippe de Ryck
I haven’t heard of Swiss Cyber Storm before, but wish I had. These talks are excellent and particularly relevant to web app testers. Make sure to give them a watch for the state of the art of mutation XSS, JavaScript app security or interesting bug bounty tales.
Other amazing things we stumbled upon this week
Videos
Podcasts
Webinars
Conferences
Ekoparty 2021: Main Track & Bug Bounty Space, especially:
Using binary search algorithms for blind SQL injection by Juan Pablo Quiñe Paz
Conference slides, material & whitepapers
XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers & XSinator.com (XS-Leak browser test suite)
DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale, DoubleX tool repo & Tutorial
Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale
Ceterum censeo: Visited esse delendam & Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks
Tutorials
A simple Data Exfiltration! (Blind XXE via Excel file upload)
Writeups
Challenge writeups
Pentest writeups
Pentest tale – Dumping cleartext credentials from antivirus #Windows #PostExploitation
Finding a 0 Day Race Condition #ThickClient
Responsible(ish) disclosure writeups
All Roads Lead To OpenVPN: Pwning Industrial Remote Access Clients #VPN #Web
PoC of CVE-2021-42321, Exchange Post-Auth RCE & Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321) #Web
CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable #Kubernetes
Diving into Open-source LMS Codebases #Web #CodeReview
Bug bounty writeups
CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory (Microsoft)
The tale of CVE-2021–34479 (VSCode XSS) (Microsoft)
See more writeups on The list of bug bounty writeups.
Tools
TProxer: A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF
hakfindinternaldomains: Go tool that takes a list of subdomains, resolves them and tells you which ones are internal
Jira-Lens: Fast and customizable vulnerability scanner For JIRA written in Python
Tips & Tweets
Misc. pentest & bug bounty resources
Challenges
HackTheBox Secret CTF 2021 (December 1-5)
TryHackMe’s Advent of Cyber 3 (2021) (December 1-25)
2021 Metasploit Community CTF (December 3-6)
Articles
New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk
GitHub Apps – How to avoid leaking your customer’s source code with GitHub apps
Bug bounty & Pentest news
Black Friday
Bug bounty
Upcoming events
YASCON 2021 (November 28)
Tool updates
Non-technical